Description of problem:
VM can't be started if its name contains words like "reboot" or "shutdown".

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. # virsh start testrebootvm
error: Failed to start domain testrebootvm
error: SELinux policy denies access.

Check libvirtd.log:
2016-09-13 08:15:01.125+0000: 7967: info : virDBusCall:1558 : DBUS_METHOD_ERROR: 'org.freedesktop.machine1.Manager.CreateMachineWithNetwork' on '/org/freedesktop/machine1' at 'org.freedesktop.machine1' error org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
2016-09-13 08:15:01.125+0000: 7967: error : virSystemdCreateMachine:383 : SELinux policy denies access.

Check audit.log:
type=USER_AVC msg=audit(1473754630.102:1869): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/run/systemd/system/machine-qemu\x2d14\x2drhelreboot.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=ANOM_PROMISCUOUS msg=audit(1473754630.113:1870): dev=vnet1 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=SERVICE_START msg=audit(1473754630.136:1871): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1473754630.315:1872): pid=7961 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm="rhelreboot" uuid=2a86fbb4-144c-4f88-be43-2818785e1287 old-disk="?" new-disk="/nfs-images/yafu/ovmf-q35-rel-eng-sec.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1473754630.316:1873): pid=7961 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=start vm="rhelreboot" uuid=2a86fbb4-144c-4f88-be43-2818785e1287 old-net="?" new-net="52:54:00:a0:05:16" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Actual results:

Expected results:
the guest can be started.

Additional info:
Seems to be a regression in selinux; I downgraded selinux to selinux-policy-3.13.1-71.el7, and the problem went away.
Please collect all SELinux denials and attach them here:
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
It's a new machine with the latest rhel tree:
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=USER_AVC msg=audit(09/13/2016 18:10:07.514:22970) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/run/systemd/system/machine-qemu\x2d12\x2dtestrebootvm.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(09/13/2016 18:10:40.887:22982) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/run/systemd/system/machine-qemu\x2d13\x2dtestrebootvm.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-97.el7.noarch
selinux-policy-minimum-3.13.1-97.el7.noarch
selinux-policy-3.13.1-97.el7.noarch
selinux-policy-sandbox-3.13.1-97.el7.noarch
selinux-policy-devel-3.13.1-97.el7.noarch
selinux-policy-mls-3.13.1-97.el7.noarch
selinux-policy-doc-3.13.1-97.el7.noarch

# matchpathcon /run/systemd/system/machine-qemu\x2d12\x2dtestrebootvm.scope
/run/systemd/system/machine-qemux2d12x2dtestrebootvm.scope    system_u:object_r:power_unit_file_t:s0

# If the "reboot" word disappears then the label is different:
# matchpathcon /run/systemd/system/machine-qemu\x2d12\x2dtestvm.scope
/run/systemd/system/machine-qemux2d12x2dtestvm.scope    system_u:object_r:systemd_unit_file_t:s0

# I guess that some of the SELinux policy patterns are too broad. Most likely these:
# semanage fcontext -l | grep -e '/usr/lib/systemd/system/\.'
/usr/lib/systemd/system/.*halt.*               regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*power.*              regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*sleep.*              regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*reboot.*             regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*suspend.*            regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*shutdown.*           regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*hibernate.*          regular file    system_u:object_r:power_unit_file_t:s0
/usr/lib/systemd/system/.*xen.*\.service       regular file    system_u:object_r:virtd_unit_file_t:s0
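An added triage helper, not from this bug report or the selinux-policy project: it parses raw (un-interpreted) USER_AVC records like the ones attached above and flags denials on a systemd-machined scope whose target label is not systemd_unit_file_t, the label matchpathcon reports for the sanely named testvm.scope. The sample input reuses two records from this bug plus one constructed record for a correctly labelled scope; the expected type and the scope path pattern are assumptions for the check.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the first USER_AVC and the SERVICE_START record attached to
# this bug, plus one made-up USER_AVC for a sanely named scope so the filter has
# a correctly labelled target to skip.
SAMPLE_AUDIT = r"""type=USER_AVC msg=audit(1473754630.102:1869): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/run/systemd/system/machine-qemu\x2d14\x2drhelreboot.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_START msg=audit(1473754630.136:1871): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AVC msg=audit(1473754700.000:1900): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/run/systemd/system/machine-qemu\x2d12\x2dtestvm.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# The userspace AVC sits inside the quoted msg='...' field: verdict, permission
# set in braces, then space-separated key=value pairs (values may be quoted).
AVC_RE = re.compile(r"msg='avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<body>.*)'$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one raw USER_AVC audit record, or None for other record types."""
    if not line.startswith("type=USER_AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("body")):
        rec[key] = val.strip('"')
    # user:role:type[:range] -> keep the type, which is what the denied rule keys on
    rec["ttype"] = str(rec.get("tcontext", "::")).split(":")[2]
    return rec


# Assumed shape of the scope units systemd-machined creates for libvirt guests,
# and the label the bug report shows for a scope without a "power" word in its name.
MACHINE_SCOPE = re.compile(r"^/run/systemd/system/machine-[^/]*\.scope$")
EXPECTED_TYPE = "systemd_unit_file_t"


def find_mislabelled_scopes(audit_text: str) -> List[Dict[str, object]]:
    """Denied USER_AVCs on a machined scope whose target type is not the expected unit label."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_user_avc(line)
        if rec is None or rec["verdict"] != "denied" or rec.get("tclass") != "service":
            continue
        if MACHINE_SCOPE.match(str(rec.get("path", ""))) and rec["ttype"] != EXPECTED_TYPE:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_mislabelled_scopes(SAMPLE_AUDIT):
        print(f"{hit['path']}: labelled {hit['ttype']}, expected {EXPECTED_TYPE} "
              f"(scontext={hit['scontext']}, perms={' '.join(hit['perms'])})")
```

On a live host, feed it the output of `ausearch -m user_avc --raw` rather than the `-i` interpreted form, which rewrites uids and timestamps and drops the quotes around path.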
Nice catch!
*** Bug 1378235 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html